DETAILED ACTION

1. This communication is in response to the Amendment filed 06/06/2008.

Response to Arguments 

2. Claims 24 - 46 are pending in this Office Action. After a further search and a
thorough examination of the present application, claims 24 - 46 remain rejected.
The claim objections to claims 24 - 46 are withdrawn in view of the amendment. 

3. Applicant's arguments filed with respect to claims have been fully considered but 
they are not persuasive. The rejection is maintained and citations are proved in the 
rejection below. 

Applicant argues that Williams does not disclose the use of the regulations data 
as located. Furthermore, Applicant tries to summarize the reference used and then 
states that the regulation data is not taught. 

Examiner respectfully disagrees and states that Williams teaches the use of the 
regulations data and the regulatory polices in paragraphs 52, 54, 57 and 61 - 62, of 
Williams, where it is disclosed how these policies are integrated with security and 
vulnerability concerns. Furthermore, the applicant mischaracterizes the teaching of 
Williams in an effort to summarize the teachings. Regardless, the instant application 
claims the provision of regulation data and determination of regulation data being 
applied to vulnerabilities and these features are taught by Williams in paragraphs 54 
and 57 where the regulatory and regulation policies are provided and with the 
combination of the audit repository and the compliance server the compliance server by
analyzing the data determine the regulation and the vulnerability. 

Since the applicant's arguments after having been considered have not 
overcome the rejection, therefore the rejection is maintained. 

Claim Rejections - 35 USC § 102 

4. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that
form the basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 122(b), by
another filed in the United States before the invention by the applicant for patent or (2) a patent
granted on an application for patent by another filed in the United States before the invention by
the applicant for patent, except that an international application filed under the treaty defined in
section 351(a) shall have the effects for purposes of this subsection of an application filed in the
United States only if the international application designated the United States and was published
under Article 21(2) of such treaty in the English language.

5. Claims 24 - 46 are rejected under 35 U.S.C. 102(e) as being anticipated by 
Williams et al. ('Williams' herein after) (US 2005/0015623 A1). 

With respect to claim 24, 

Williams discloses a method for effectively and efficiently identifying violations of 
privacy and security and guidelines in an information system while documenting and 
accommodating the live process of compliance and security testing (paragraphs 91,
148, 151 and 153), comprising the steps of:

a. providing vulnerability data having universal definitions applicable to different 
computing systems (paragraphs 54 and 70, Williams);

b. providing regulation data relating to and taken from a particular set of regulations
(paragraphs 73 and 166, Williams); 

c. providing priority data relating to a list of vulnerabilities prioritized in a specific 
order (paragraph 212, Williams); 

d. providing keywords that are common to the vulnerability, regulation and priority 
data (paragraphs 0139 and 0141, Williams); 

e. searching for the keywords in the vulnerability, regulation and priority data 
(paragraphs 0139 and 0141, Williams); 

f. creating relational data based upon the searching step, the relational data 
establishes a specific relationship between the vulnerability, regulation and 
priority data (paragraphs 0053 and 0136 - 0137, Williams); 

g. determining a computer configuration for a target to be tested (paragraphs 56 
and 103, Williams); 

h. customizing a screening process for the target using the computer configuration 
found in the determining step (paragraphs 57 and 99, Williams); 

i. testing for vulnerability violations in the target based upon the customized 
screening process (paragraphs 92 - 93 and 135, Williams); 

j. determining, according to the vulnerability violations, which regulation data
applies to which vulnerability data and the priority of the vulnerability violations by
a relational database for providing a mapping between the vulnerabilities and the
regulations (Figures 2 and 3, Williams); and

k. creating a prioritized report corresponding to the vulnerability violations and the
regulations that apply to the vulnerability violations (Figures 2 and 3, Williams).

With respect to claim 25, 

Williams discloses the method of claim 24 wherein the set of regulations are 
defined by Health Insurance Portability and Accountability Act (paragraph 0066, 
Williams). 

With respect to claim 26, 

Williams discloses the method of claim 24 wherein the set of regulations are 
defined by Graham Leach Bailey Act (paragraph 0066, Williams). 

With respect to claim 27, 

Williams discloses the method of claim 24 wherein the vulnerability violations are 
stored in a memory (paragraph 147, Williams). 

With respect to claim 28, 

Williams discloses the method of claim 24 wherein the testing step further 
comprises scanning a target to provide a system scan (paragraphs 0109, Williams). 



With respect to claim 29,

Williams discloses the method of claim 28 further comprising the step of
providing a test set as a function of the system scan (paragraphs 0111 - 0112,
Williams). 

With respect to claim 30, 

Williams discloses the method of claim 24 the prioritized report further includes 
an IP address of the target (paragraph 0170, Williams). 

With respect to claim 31,

Williams discloses the method of claim 24 wherein the vulnerabilities data is 
defined by Common Vulnerabilities and Exposures (paragraph 0168, Williams). 

With respect to claim 32, 

Williams discloses an information system for effectively and efficiently identifying
violations of privacy and security and guidelines while documenting and accommodating 
the live process of compliance and security testing (paragraphs 91, 148, 151 and 153), 
comprising: 

a. a vulnerability database having universal definitions applicable to different 
computing systems (paragraphs 54 and 70, Williams); 

b. a regulation database relating to and taken from a particular set of regulations 
(paragraphs 73 and 166, Williams);

c. a priority database relating to a list of vulnerabilities prioritized in a specific order
(paragraph 212, Williams);

d. means for providing keywords that are common to the vulnerability, regulation
and priority data (paragraphs 0139 and 0141, Williams);

e. searching means for searching for the keywords in the vulnerability, regulation
and priority data (paragraphs 0139 and 0141, Williams);

f. a memory for storing relational data that was created by the searching means, 
the relational data establishes a specific relationship between the vulnerability, 
regulation and priority databases (paragraphs 0053 and 0136 - 0137, Williams); 

g. first determining means for determining a computer configuration for a target to 
be tested (paragraphs 56 and 103, Williams); 

h. customizing means for customizing a screening process for the target using the 
computer configuration found in the first determining means (paragraphs 57 and 
99, Williams); 

i. testing means for testing for vulnerability violations in the target based upon the 
customized screening process (paragraphs 92 - 93 and 135, Williams); 

j. second determining means for determining, according to the vulnerability 
violations, which regulation data applies to which vulnerability data and the 
priority of the vulnerability violations by a relational database for providing a 
mapping between the vulnerabilities and the regulations (Figures 2 and 3, 
Williams); and

k. a prioritized report corresponding to the vulnerability violations and the
regulations that apply to the vulnerability violations (Figures 2 and 3, Williams).

With respect to claim 33, 

Williams discloses the system of claim 32 wherein the set of regulations are 
defined by Health Insurance Portability and Accountability Act (paragraph 0066, 
Williams). 

With respect to claim 34, 

Williams discloses the system of claim 32 wherein the set of regulations are 
defined by Graham Leach Bailey Act (paragraph 0066, Williams). 

With respect to claim 35, 

Williams discloses the system of claim 32 wherein the vulnerability violations are 
stored in a memory (paragraph 147, Williams). 

With respect to claim 36, 

Williams discloses the system of claim 32 wherein the testing means further 
comprises scanning a target to provide a system scan (paragraphs 0109, Williams). 



With respect to claim 37,

Williams discloses the system of claim 36 further comprising a test set as a
function of the system scan (paragraphs 0111 - 0112, Williams).

With respect to claim 38, 

Williams discloses the system of claim 32 wherein the prioritized report further 
includes an IP address of the target (paragraph 0170, Williams). 

With respect to claim 39, 

Williams discloses the system of claim 24 wherein the vulnerabilities data is 
defined by Common Vulnerabilities and Exposures (paragraph 0168, Williams). 

With respect to claim 40, 

Williams discloses the computer-executable process steps, stored on a computer- 
readable medium and executable by a processor to perform the steps of: 

a. document and accommodate a live process of compliance and security testing 
(paragraphs 91, 148, 151 and 153)

b. provide vulnerability data having universal definitions applicable to different 
computing systems (paragraphs 54 and 70, Williams); 

c. provide regulation data relating to and taken from a particular set of regulations 
(paragraphs 73 and 166, Williams); 

d. provide priority data relating to a list of vulnerabilities prioritized in a specific order 
(paragraph 212, Williams);

e. provide keywords that are common to the vulnerability, regulation and priority
data (paragraphs 0139 and 0141, Williams); 

f. search for the keywords in the vulnerability, regulation and priority data 
(paragraphs 0139 and 0141, Williams); 

g. create relational data based upon the search step, the relational data establishes 
a specific relationship between the vulnerability, regulation and priority data 
(paragraphs 0053 and 0136 - 0137, Williams); 

h. determine a computer configuration for a target to be tested (paragraphs 56 and 
103, Williams); 

i. customize a screening process for the target using the computer configuration 
found in the determine step (paragraphs 57 and 99, Williams); 

j. test for vulnerability violations in the target based upon the customized screening
process (paragraphs 92 - 93 and 135, Williams);

k. determine, according to the vulnerability violations, which regulation data applies
to which vulnerability data and the priority of the vulnerability violations by a
relational database for providing a mapping between the vulnerabilities and the
regulations (Figures 2 and 3, Williams); and

l. create a prioritized report corresponding to the vulnerability violations and the
regulations that apply to the vulnerability violations (Figures 2 and 3, Williams).

With respect to claim 41,

Williams discloses the steps of claim 40 wherein the set of regulations are
defined by Health Insurance Portability and Accountability Act (paragraph 0066, 
Williams). 

With respect to claim 42, 

Williams discloses the steps of claim 40 wherein the set of regulations are 
defined by Graham Leach Bailey Act (paragraph 0066, Williams). 

With respect to claim 43, 

Williams discloses the steps of claim 40 wherein the test step further comprises 
scanning a target to provide a system scan (paragraphs 0109, Williams). 

With respect to claim 44, 

Williams discloses the steps of claim 43 further comprising the step of providing a 
test set as a function of the system scan (paragraphs 0111 - 0112, Williams).

With respect to claim 45, 

Williams discloses the steps of claim 40 wherein the prioritized report further 
includes an IP address of the target (paragraph 0170, Williams). 



With respect to claim 46,

Williams discloses the steps of claim 40 wherein the vulnerabilities data is defined by
Common Vulnerabilities and Exposures (paragraph 0168, Williams).

Conclusion

6. THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded 
of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the date of this final action.

Contact Information

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Navneet K. Ahluwalia whose telephone number is
571-272-5636.

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Alam T. Hosain can be reached on 571-272-3978. The fax phone number 
for the organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

/Navneet K. Ahluwalia/ 
Examiner, Art Unit 2166 

Dated: 09/19/2008 
/Hosain T Alam/ 

Supervisory Patent Examiner, Art Unit 2166 



